An easy way to browse the internet in anonymity and privacy? Not so fast.
2014 made privacy into a business model -- and spawned an overwhelming amount of unscrupulous charlatans eager to capitalize on a frightened public.
Unfortunately for those who don't know the finer details of computer security, many of these exploitative profiteers are equally clueless about the tech that should support the wild privacy promises they're making.
That hasn't stopped them from continuing to get lots of false, free publicity -- and making a tidy sum off consumers they've conned.
Like a cockroach that won't die, the crown prince of sleazy privacy profiteers has to be Anonabox.
Setting a new (low) standard for the current, surging wave of false-promise privacy hardware products, Anonabox made headlines with gullible tech press in early October with its Kickstarter promising a tiny box that would "anonymize everything you do online."
Wired breathlessly wrote, "Now routing all your traffic through Tor may be as simple as putting a portable hardware condom on your ethernet cable."
Anonabox's creator, August Germar, was quoted under glowing headlines from Guardian, ReadWrite, Wired, DailyDot, TechCrunch and more spinning his product as a "cloaking device" that he'd been working for four years (citing the Arab Spring as their inspiration), which was an open source, custom hardware, "plug and play" Tor-in-a-box device designed by him and his team.
Anonabox was positioned as a magic box that would protect everyone against hackers, spies, repressive regimes and the NSA. Even Glenn Greenwald's technologist (former EFF staffer) Micah Lee was initially duped by Germar's promises, telling Wired, "If you're using something like this, everything goes over Tor, so that [the risk of malware uncloaking users over a non-Tor connection] can't happen."
Within two days the Kickstarter project, which began at $7500, blew up into a $600,000 funding sensation.
It also drew enough attention to Germar's dangerously false promises that Germar's con unraveled, fast. Within a week of all the great PR, funders began withdrawing their dollars in droves, and public outcry pushed Kickstarter to suspend Anonabox's funding campaign.
Thanks to infosec community chatter on Twitter and the Reddit thread, funders and observers discovered Anonabox's entire hardware package was actually an off-the-shelf Chinese router.
Images on the Anonabox Kickstarter page (and used on press features) of its casing and PCB were of a cheap Chinese router from e-tailer Alixpress, altered to remove its branding. Germar's 'open source hardware' was actually mass-manufactured and distributed worldwide.
It didn't get better when Mr. Germar inadvertently revealed he most likely didn't really understand Tor.
-- Violet Blue ® (@violetblue) October 15, 2014
Anonabox was, in fact, a device that would most likely endanger the people it marketed itself to protect.
Steve Lord from IT Security Guru reported in a recap,
Amongst the few configuration files provided, substantial vulnerabilities were found, including an open unencrypted wireless hotspot and a trivially cracked default password on all devices.
Another claim was that all traffic passed through popular anonymity software Tor was trivially debunked by looking at the firewall configuration. That appeared to be poorly implemented and allowed some traffic to pass through.
Finally, there was a ludicrous claim that all communications were encrypted, deemed a ludicrous claim as only traffic sent over Tor was encrypted, and even then only at the point of entering Tor.
As the house of cards came crashing down, Ars Technica reported, "Redditors and others discovered that there was a hashed root password installed on all Anonaboxes -- that password was cracked, and found to be "developer!" an obviously weak password."
To top it off, Germar's Tor package was revealed to be uncredited work belonging to PORTAL, whose developers were understandably furious.
Facing pointed comments on Kickstarter, Twitter, and a Reddit AMA where commenters wouldn't let him off the hook, Germar responded at times evasively, at others, with cluelessness that erred on ignoring direct questions.
He was supported by a spitefully-commenting 'friend' who incessantly, aggressively attacked and trolled anyone who criticized Anonabox, at one point amassing over 400 vitriolic comments on Anonabox's Kickstarter page alone.
Despite a very public display of misleading everyone, press outlets reporting flaws so bad that an Anonabox would actually be worse than nothing, Germar newly shown to be misrepresenting his involvement with the Tor Project, Anonabox isn't giving up on the privacy profiteering revenue stream anytime soon.
As of this writing, the Anonabox Indiegogo funding campaign, only midway through its funding period, has raised $38,671 (with its goal at $13,370).
Wemagin: A descent into madness
If you thought the behavior of Germar and pals was like a film treatment straight out of the Sony Pictures Entertainment IT department, meet Wemagin -- with its funding completed at $54,607.
Where Anonabox looks like it comes from a dude who tells people to call him Scorpion, and puts about as much subtlety into his copywriting as his fabrications, Wemagin is among the pedigree of privacy profiteer that knows a slick package increases the appearance of legitimacy.
At least this time, no one really fell for it. Well... except Kickstarter, Wemagin's hopeful backers, and at least one gaming blogger.
Neatly co-opting Anonymous in its Kickstarter branding package, Wemagin ("The world's first Windows based USB privacy gadget that's simple to use") invites us to "join the privacy movement" and says it does some pretty amazing -- though impossible -- stuff:
WEMAGIN states it: "Can be used with public PC," "Unblocks restricted websites," "Is protected on public Wifi," "Is military grade," "Is waterproof," "Is recyclable," has "Unlimited cloud storage," "Is not a proxy or Tor," and "Blocks key loggers."
According to its Kickstarter, use of Wemagin also stops search engine and advertiser tracking, and says you'll "protect your computer by leaving nothing behind. No cache, cookies, or history." Its 'Timeline' section also promises "Successful testing of spy cam blocker" and "Successful tracking down device if lost or stolen!"
Where Anonabox pulled its back-story feels from trading off the Arab Spring, Wemagin goes much further. Wemagin tells the kind of tale that would make anyone questioning it look like a bad person -- while, disturbingly, telling us exactly who this device puts at risk if it doesn't do exactly what the marketing materials claim.
Inventor Steve Kim tells us he used to think that privacy was a hopeless idea. And then...
That all changed, one fateful day, when I met a young girl from North Korea trapped in China. At the tender age of 15, she was sold as a bride into China and was chained down by her ankle whenever the man left the house. After her escape, she lived to share her story and sought help to find her family.
It was after meeting this girl that privacy took on a new and deeper meaning for me. It was no longer just a constitutional right, but a human right. A matter of life and death. I, then, decided to find a way to help such children, to provide a device which they could use to reach out for help without the fear of being detected on the computer or on the internet.
Needless to say, after the very public man-behind-the-curtain moment with Anonabox, people were very skeptical about Wemagin's claims. And just as with Mr. Germar's magic Tor box, people who pointed out serious problems with the project were attacked by trolls who seemed... conspicuously emotionally invested in the project.
Unable to answer technical questions and frustrated by the persistence from the info sec community, Wemagin published a series of Kickstarter updates about bullying, where Mr. Kim likened his plight to what must have been suffered by The Wright Brothers and Alexander Graham Bell and characterized those asking questions as 'bullies' and stalkers.
Verification was re-spun as persecution. In one Kickstarter update [indirectly] addressing researchers who called out the product for details to back up its claims, Kim wrote, "If we lived in a different time, some might be advocating burning me at the stake, as was done at the Salem, Massachusetts witches trials."
Security researcher cybergibbons was most certainly one of those skeptical about Wemagin's incredible claims. His measured examination Wemagin is Wemaginary neatly dissected a whole lot of Wemagin's problematic claims, in numbered order. Highlights include:
7. The creator has loosely confirmed that both the customer and Wemagin will hold the encryption keys for the data in the cloud:
Question: [you] will not meet our needs because using the Dropbox model means Wemagin will have access to users' stored files, and may be able to turn them over to 3rd parties. Will you be offering VPN service without the bundled cloud storage? Answer: Our cloud is given for free with our VPN. Wemagin has the ability to view. We are not concerned about what you have. At this stage, we need to trust each other.
17. The promotional video showed logins using the onscreen keyboard.
These logins actually worked. (...)
In a creepy twist to the immature privacy profiteer dude narrative, the "Wemaginary" post also reveals the trolling, stalking, impersonation and harassment at the hands of Wemagin that some researchers experienced -- himself included -- as he tried to get his questions answered.
11. (...) Steve [Kim]'s comments aren't any better. The one where he searches for Rajan's details, gets them wrong, and then goes on a paranoid rant about competitors is particularly good.
Wemagin team member Paul Lee/Tom Smith (aka Cannysage Studios) threatened to dox cybergibbons and his family (on Kickstarter), found personal photos of him and defaced them, then Lee admitted he posted 'something he was emailed' on a Subaru car aficionado forum alleging that cybergibbons had made specific anti-Japanese racial slurs, telling forum members to visit an included link to look at nude photos of cybergibbons' wife.
After trying to get answers and dealing with nothing but smokescreen and harassment, previously even-tempered researcher Rajan broke -- and laid it all out in the Kickstarter's comments.
4 of the 8 "ground breaking" features are a result of work done by China World Connection (CWC). Steve's amazing "military grade," waterproof, recyclable USB drive can be yours and engraved with your company logo for $3.00-$7.50... They even did the "works instantly. just plug in and login!" part because CWC provides the USB drives with "Preload data service... Auto-run (undeletable)"
The "unlimited cloud storage" feature comes direct from Livedrive.com. He's using their "white label reseller program." Steve is paying £39.95/month for an unlimited number of users and space. Livedrive even provides the Windows compatible program for him, and Steve did was add his logo.
-- Asher Langton (@AsherLangton) December 1, 2014
The height of privacy profiteer shadiness -- if there can be such a thing -- was undoubtedly reached when it was time for Wemagin to meet its Kickstarter deadline.
-- Asher Langton (@AsherLangton) December 8, 2014
-- Asher Langton (@AsherLangton) December 8, 2014
It might have been at this point that a few people started to lose faith in Kickstarter.
Why can't everyone realize the level of scam on these type of claims should have them unlisted a long time ago? https://t.co/WNS9TycRCG
-- Ale✖aﬡdre Ḡʊédoη (@PeerProd) December 10, 2014
Yet another cloaking device...
Offering simple and convenient solutions to privacy and security bogeymen, 2014's lesson is that these products are seldom what they seem.
Built on false promises and untested everything, they consistently manage to fool reporters, investors and consumers in large numbers -- and it's only getting worse.
Webcloaksecure's Kickstarter ("an advanced USB stick that allows you to anonymously browse the web while protecting you from viruses and theft") as of this writing is at $23,359 of its $60K goal.
According to Webcloak, Webcloak would have singlehandedly prevented the Sony Pictures Entertainment hack.
-- Asher Langton (@AsherLangton) December 3, 2014
-- Asher Langton (@AsherLangton) December 13, 2014
Privacy profiteering as a scam is a trend that's on the rise.
Like hacking, digital privacy is a confusing, shifting landscape for most people -- and anyone who comes along offering an easy solution is going to find an eager market quick to pay for the convenience.
We're in the new economy of so-called accident lawyers. The huge hacks on large companies resulting in an overwhelming amount of personal privacy violations -- on top of fears fueled by NSA citizen-surveillance stories -- are a green light for the peddlers of fraudulent privacy and security products.
We're not alone focusing our anxieties on one modern threat or another. As seen with Anonabox, these products can fool even the most established pundits.
However, it's not impossible to protect ourselves and our businesses from privacy snake oil salesmen.
- Like with our news sources online, we need to be critical shoppers with all privacy products, no matter how trusted the source.
- Search for people talking about the product, read blog posts, search out trusted voices in security -- see what the chatter is on a product.
- Look for evidence that the product has been independently audited, and find out if the 'beta testers' are more than the inventor's buddies.
- Look for "red flag", false and impossible promises. For instance, if someone claims "government grade encryption" -- they're lying.
- Also avoid products that offer to "leave no trace" -- this is a commonly abused claim.
- The bottom line should be, if a privacy product sounds too good to be true, then some aspect of it certainly is.
Perhaps worst of all is that these devices market security and anonymity as a promise specifically to people who need it the most.
People like journalists in countries of conflict, pro-democracy activists in totalitarian countries, would-be refugees, and NGO workers (think Doctors Without Borders) whose lives are literally on the line.
At worst, the people making these products are of the most toxic kind of people, who have an inherent inability to understand or empathize with other human beings. These are people who don't leave the hermetic seal of profit.
At best, it's a poorly paved road of good intentions.